SEC Issues Interpretive Release on Cybersecurity Disclosure

On February 21, 2018, the Securities and Exchange Commission (the “Commission”) published interpretive guidance to assist public companies when considering, drafting and issuing disclosure about cybersecurity risks and incidents (the “interpretive guidance”). The interpretive guidance became effective immediately upon issuance.

The Commission’s interpretive guidance reaffirms and expands upon guidance issued by the Division of Corporation Finance in 2011 (the “Division guidance”) relating to the disclosure of cyber-related matters. The interpretive guidance also addresses two additional topics not covered in the Division guidance: that a company’s disclosure controls and procedures need to cover cyber-related matters, and that compliance with insider trading prohibitions must take into account cybersecurity incidents. The issuance of interpretive guidance underscores the Commission’s increased focus on cybersecurity. It follows the establishment of the Commission’s Cyber Unit in 2017 to target cyber-related misconduct, as well as repeated statements by Chairman Jay Clayton and other Commission officials that cybersecurity is a priority area for the agency.

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

Francesco De Biasi’s practice primarily focuses on private enforcement and internal investigations of corporate wrongdoing, with a focus on the requirements under Legislative Decree 231/2001, as well as on corporate, civil, labor law and data protection matters related to white collar crimes.